In today's world, financial and other transactions are often conducted by way of the Internet, with banks and other institutions providing online Web-based account access for their customers. In order to access his/her account, a customer typically identifies him/herself on a webpage by entering a unique customer identifier (which is not secret), and subsequently entering a PIN or passcode or password (which must be kept secret and is known only to the customer and to the computer system that the customer is trying to access).
A weakness of existing systems is that the computer being used by the customer to access the bank's computer system may have been infected with malware, in particular keystroke loggers, which can record the keystrokes made by the customer when accessing his/her account. The keystroke logger can then transmit the logged keystrokes to a third party, who can then access the customer's bank account without difficulty by using the unique customer identifier and PIN/passcode/password combination.
Another problem is that of “shoulder surfing”, where a person standing near another person using an ATM, a code entry door lock or an EPOS (Electronic Point of Sale) keypad in a shop can easily determine a PIN that is being entered. It is also known for thieves to tamper with ATMs by installing card skimmers and small video cameras to capture PIN entry, or for dishonest shopkeepers to skim cards and note down customers' PIN codes as these are entered on EPOS keypads.
Efforts have been made to reduce this problem, for example by requiring that a customer does not use keystrokes to enter his/her PIN, but instead uses screen-based interfaces employing a mouse, pointer and drop-down menus, or a touch-screen interface. While the use of a mouse and pointer, for example, can overcome the threats posed by keystroke loggers, there are more sophisticated malware programs that can detect the position of a pointer on a screen, and hence can deduce the data being entered if an interface with a fixed virtual keypad is employed.
Examples of improved interfaces are known from U.S. Pat. No. 6,549,194, where a device for entry of a PIN is provided with a touch screen, and wherein a numerical keypad is displayed on the touch screen for a user to enter his/her PIN. In order to hinder keystroke loggers or similar malware, the touch screen display is configured to change the layout of the numerical keypad between uses, so that malware will not be able to determine which number is represented in any given transaction by the portion of the touch screen that is activated.
US 2004/0225601 discloses an ATM or POS (Point-Of-Sale) device where a user inserts his/her bank card and then enters a PIN in the usual manner. The user is then prompted to enter a second PIN or security code, this time using keys of the ATM or POS that are not normally used for entering numbers. Instructions are displayed on the screen to show the user which keys correspond to which numbers.
U.S. Pat. No. 7,992,007 presents a virtual keypad on a display screen for a user to enter a PIN by clicking on the virtual keys with a mouse-controlled pointer. The size, layout and geometry of the virtual numeric keypad and of the keys making up the keypad are changed each time to hinder malware that detects the position of a pointer on a screen.
It is known from U.S. Pat. No. 7,392,388 in the name of the present Applicant (the entire content of which is hereby incorporated into the present application by way of reference) to provide an identity verification system in which a user can identify himself to a bank or merchant computer or the like by applying a relatively simple protocol to a challenge string received from the bank or merchant computer by way of an SMS message, or a secure website by way of a Hypertext Transfer Protocol Secure (HTTPS) connection, or an email communication or the like. The user is in possession of a short numerical code, analogous to a typical Personal Identification Number (PIN) commonly used as a security measure together with a credit or debit card. This numerical code, which may be four digits in length (although other lengths may be used), is known only to the user and to the bank or card issuer. The user applies the numerical code to a pseudorandom security string issued by the bank or card issuer, by selecting characters from the security string, on a positional basis determined by each digit of the numerical code, taken in order. For example, where a user numerical code is “2473”, and the pseudorandom security string is “396&fty7d3GG9”, the user would return “9&y6”, with “9” being the second (2nd) character in the security string, “&” being the fourth (4th) character, “y” being the seventh (7th) character and “6” being the third (3rd) character.
As an alternative to selecting characters from a security string on a positional basis by way of a numerical code, the user may do so on the basis of applying a secret shape or pattern to an array of security digits (rather like a Cardan grille), although computationally the method is similar to that described above.
A special advantage of the type of encryption disclosed in U.S. Pat. No. 7,392,388 is that it is relatively simple for a user to apply mentally, although an applet or small application running on a mobile device owned by the user could also be used, while still being reasonably secure. In particular, assuming sufficient redundancy in the pseudorandom security string, it is not easy for a third party to deduce the user's PIN or numerical code, even if both a pseudorandom security string and a returned response from the user are hijacked.
It is also known, for example from US 2011/0060912, to input a password by way of a touch-sensitive display. A password array having a plurality of characters is displayed, the characters being arranged in a first order. The system detects if a permutating signal is received, and generates a password array having a plurality of characters in a second order. In other words, the system comprises a touch-screen PIN entry interface where the keys of the number pad can be shifted around pseudorandomly upon receipt of a permutating signal, which may be a user input or may be issued automatically after each key input.